Users of Citrix Systems' GoToMyPC remote desktop access service were forced to change their passwords following what company officials called a "very sophisticated password attack" in which hackers tried to use usernames and passwords leaked from other Websites to access GoToMyPC accounts.
Citrix security officials responded by forcing all users of the service to reset their passwords. The company first issued a notice June 18, and users coming onto the service this week were notified that their passwords were no longer operational and they would have to create new passwords.
According to the updated notice Citrix issued this week, the damage from the attack was minimal. Company security officials said that no sensitive customer data—including credit card information—was exposed during the incident. However, they added they were continuing to investigate the issue and that they will let users know the results of the probe after it's completed.
No other Citrix services were included in the attack, company officials said. The GoToMyPC service is used to gain remote access to home and work PCs over the Web.
They did not say how many people were impacted by the password reuse attack. According to reports, some users over the weekend found they couldn't sign onto their account and were being asked to reset their passwords. Soon after, Citrix issued the warning that the site was under attack and steps users could take to protect themselves.
"We have experienced an issue which requires you to reset your password if you are having trouble logging into your account," the post said. "Please reset your password through the 'Forgot Password' link if you are having trouble logging into your account."
Soon afterward, that suggested password reset became a mandatory one, with the GoToMyPC security officials resetting all passwords and forcing users to go in and reset them. Citrix officials made recommendations for creating highly secure passwords (don't use a word from the dictionary or use the same password in more than one place, use eight or more characters and make it complex by randomly adding capital letters, punctuation or symbols) and offered the option of using two-step verification.
Passwords are seen as a particularly vulnerable point in the larger information security environment, due in part to how consumers use them. In a recent Mail.com survey released earlier this month, one in 10 Americans said they never change their passwords, and 38 percent alter their passwords on an average of every six months. In addition, 20 percent use the same password for most or all of their Internet services; only 23 percent use different passwords for different services.
Fifty-eight percent of respondents said they store passwords in their head, while 15 percent write them on a piece of paper. Another 5 percent save passwords in their browser, and only 9 percent use password management software.
"There are two main reasons Americans are so negligent when it comes to passwords: first, the sharply increasing number of Internet services that require an authentication with passwords, and second, the missing knowledge on password security," Martin Wilhelm, public relations manager for Mail.com, told eWEEK. "People choose passwords that are easy to remember because it's much more comfortable than handling a complex and individual password for a variety of different services. What they don't have in mind is that they run the risk of losing all their data on the Internet once this password has been spied out by Internet criminals."